As a Co-founder and Chief Product Officer, I am happy to read the latest Forrester WaveTM Bot Management, Q2 2022, where Cequence is named as a strong performer. Highlights from the report write up include “strong go-to-market and execution roadmap” and an “API-first strategy.” Reading positive words from a respected analyst is great, but there are several other reasons for me to be happy about this report.
This is our first participation in the Forrester WaveTM Bot Management report.
First off, I want to acknowledge that participating in the Forrester WaveTM process takes a lot of doing. It evaluates vendors using a 25 point selection criteria with a detailed questionnaire and demo. This is followed by customer references to validate vendors’ claims. Our tremendous growth in terms of customers, revenue and employees has enabled us to participate this time and we are delighted to do well in our first attempt. Having been through the process once, we have better appreciation and understanding of the process, and we are confident that we will do even better the next time.
Cequence is the only API Security vendor to be mentioned in this report.
The API Security market is a crowded space with many vendors offering a variety of capabilities on the spectrum. Almost all of them claim detection of bot attacks, like ATOs and resource exhaustion, since these are included in the OWAS API Top 10 list. Many of these vendors can only detect attacks and do not have native mitigation capabilities, instead relying solely on sending signals to a WAF or another tool. This is a very limiting approach in the Bot Management space. None of the API security vendors made it in this year’s the Forrester WaveTM Bot Management report. This report validates Cequence Security’s leadership position in the API Security space by stating – “Customers aligned with Cequence’s API-first vision should consider the vendor as a viable bot management option”.
Recognition of our advanced ML/AI that can handle bots’ evolution and evasion.
Our customers appreciated the product’s “ability to adapt to changes in bot behavior”. This is a huge accolade for us. All Cequence Security customers that Forrester referenced for this report, are Fortune 50 names and are a huge target for bots. In just these few reference customers, we are protecting roughly 1 billion API transactions per day. Some of these customers have been using our product for 6 years and together we have seen bots evolve from simple tools to Bot-as-a-Service with the level of sophistication outsmarting most other Bot Management vendors in the report. Our close partnership with our customers is a key reason for why Cequence Security has a never lost a customer and we have displaced the leaders in this report in many large enterprise accounts. Our investments in ML/AI, our product innovation and our key customers (who are prime targets for bots) has kept us ahead in the game of sustained efficacy.
Endorsement of our strategy.
Product dashboard and integrations.
Our product’s dashboard and its ability analyze and visualize each application/API traffic individually is unique in this space. So is our ability to import data feeds and export findings to enhance the overall efficacy of the solution and its value to customers. Security personnel love the detailed analysis from the ML/AI engine on each and every API call presented in the dashboard. The class of customers we serve cares deeply about false positives, as they negatively impact the end-user and ultimately the business. Having a detailed explanation of every detection helps them vet these results and adjust thresholds to provide optimum security with minimal false positives. Integrations into several security and fraud systems on suspicious but “not bad enough” API calls leads to overall higher efficacy of the security eco-system.
We also one fundamental disagreement with the report. It penalizes us for not having out-of-the-box list of good bots. It ignores the fundamental difference in our ML/AI and approach to this problem. Most other vendors have such lists, and they are based on certain HTTP headers, geo-IP information of good bots like search engines, marketing analytics, application performance monitors, etc. We don’t need such a list. Our ML/AI automatically learns good bot behavior from bad bots and automatically classifies them in out-of-the-box policies which govern how the good bots are managed. These behavior patterns are shared among industry peers when applicable. This approach reduces the burden on security operations people by not having to manually configure hundreds of good bots. Our customers love it because they don’t have to worry about changes to good bots and introduction of new good bots. With other vendors, customers are stuck with their vendors updating their static good bot list while Cequence customers automatically get the update based on the bot’s behavior, no configuration change needed.
Finally, no report of such kind is perfect and fair to all vendors. While we are pleased with our results, we do believe there is a bias towards vendors with higher number of customers, without any consideration to average customer value (ACV), average length of customer relationship. Not surprising that 2/3 leaders are CDN vendors, and the other 3rd focuses on mid-market customers. Why does this matter? It ignores the sophistication of bot attacks and sustained efficacy solutions must provide to continuously protect them from this ever-evolving threat. We will provide this feedback to Forrester and look forward to participating in the next cycle. Thank you, Forrester.